Safety vulnerability ID: 53450
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Indico 3.2.3 updates its dependency 'cryptography' to include a security fix.
Latest version: 3.3.6
Indico is a full-featured conference lifecycle management and meeting/lecture scheduling tool
Version 3.2.3
-------------

*Released on February 23, 2023*

Security fixes
^^^^^^^^^^^^^^

- Sanitize HTML in global announcement messages
- Update `cryptography <https://pypi.org/project/cryptography/>`_ library due to
  vulnerabilities in OpenSSL (:cve:`CVE-2023-0286`)
- Update `werkzeug <https://pypi.org/project/werkzeug/>`_ library due to a potential
  Denial of Service vulnerability (:cve:`CVE-2023-25577`)

.. note::

    The risk of malicious HTML (e.g. scripts) in the global announcement is minimal
    as only Indico administrators can set such an announcement anyway. However, in the
    unlikely case that an administrator becomes malicious or is compromised, they would
    have been able to perform XSS against their Indico instance.

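
The sanitization fix above is the kind of allowlist filter that removes script content, dangerous link targets and event-handler attributes from admin-supplied markup before it is rendered into every visitor's page. The block below is an added illustration written for this page and not Indico's own sanitizer (the real implementation is not shown here): the tag and attribute allowlists, the URL-scheme check on ``href`` and the decision to discard the content of ``script``/``style``-like elements entirely are assumptions made for the example. If the announcement is written in Markdown, as the improvements list for this release mentions, the filter has to run on the HTML produced by the Markdown renderer, because Markdown passes raw HTML through unchanged.

```python
"""Allowlist-based HTML sanitizer for admin-supplied announcement text.

Added example, not Indico's code. Everything not explicitly allowed is dropped,
script/style-like content disappears completely, and href values must use a
known-safe scheme. The allowlists below are assumptions for this illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "a", "strong", "em", "b", "i", "ul", "ol", "li", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Tags whose text content must disappear too, not only the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Return a cleaned href, or None if its scheme is not in SAFE_SCHEMES.

    Browsers ignore ASCII control characters and whitespace inside the scheme
    ("java\\nscript:" still executes), so strip them before inspecting it.
    Relative URLs (empty scheme) are accepted.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return cleaned


class _Sanitizer(HTMLParser):
    """Rebuilds the fragment from allowlisted pieces; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags emitted and not yet closed
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue  # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it too, so the output stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments, including conditional comments, never reach the output

    def result(self):
        self.close()  # flush any buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Return ``fragment`` reduced to allowlisted tags, attributes and URL schemes."""
    parser = _Sanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of what a compromised admin account might submit.
    hostile = ('<p>Maintenance tonight <script>fetch("/x?c=" + document.cookie)</script>'
               '<a href="javascript:alert(1)" onclick="steal()">details</a></p>'
               '<img src=x onerror=alert(1)>')
    print(sanitize_html(hostile))
```

Running the block prints the constructed sample reduced to ``<p>Maintenance tonight <a>details</a></p>``: the script body, the ``javascript:`` link target, the ``onclick`` handler and the ``img`` with its ``onerror`` are gone while the visible text survives. Two choices worth keeping in any such filter: reject by default (anything not on the allowlist is dropped rather than anything on a blocklist being removed), and check ``href`` on a copy with control characters stripped, since browsers tolerate them inside the scheme.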

Improvements
^^^^^^^^^^^^

- Include co-authors in abstract list columns and spreadsheet exports (:pr:`5605`)
- Include speakers in abstract list columns and spreadsheet exports (:pr:`5615`)
- Add an option to export all events in a series to ical at once (:issue:`5617`, :pr:`5620`)
- Make it possible to load more events in series management (:pr:`5629`)
- Check manually entered email addresses of speakers/authors/chairpersons
  to avoid collisions and inconsistencies (:pr:`5478`)
- Add option to use review track as accepted track when bulk-accepting abstracts
  (:pr:`5608`)
- Add setting to only allow managers to upload attachments to events and
  contributions (:pr:`5597`)
- Support Markdown when writing global announcement and apply standard HTML
  sanitization to the message (:pr:`5640`)
- Add BCC field on contribution email dialogs (:pr:`5637`)
- Allow filtering by location in room booking (:issue:`4291`, :pr:`5622`,
  thanks :user:`mindouro`)
- Add button to adapt column widths in paper & contribution lists (:pr:`5642`)
- Add event language settings to set default and additional languages (:issue:`5606`,
  :pr:`5607`, thanks :user:`vasantvohra`)
- Fail nicely when trying to import an event from another Indico instance (:issue:`5619`,
  :pr:`5653`)
- Add option to send reminders to invited registrants who have not yet responded
  (:issue:`5579`, :pr:`5654`)
- Hide the top box with the latest files of an editable until it has been accepted
  and published (:issue:`5660`, :pr:`5665`)
- Allow uploading files when requesting changes on the editing timeline (:pr:`5612`)
- Add ``locked_fields`` to the identity provider settings in ``indico.conf`` to
  prevent non-admin users from turning off their profile's personal data
  synchronization (:pr:`5648`)
- Add an option to sync event persons with users (:pr:`5677`)
- Disallow repeated filenames in editing revisions (:pr:`5681`)
- Add setting to hide peer-reviewed papers from participants even after they have
  been accepted (:issue:`5666`, :pr:`5671`)
- Prevent concurrent assignment of editors to editables (:pr:`5684`)
- Add color labels to the filter dropdown (:issue:`5675`, :pr:`5680`)


Bugfixes
^^^^^^^^

- Correctly show contribution authors in participant roles list (:pr:`5603`)
- Disable Sentry trace propagation to outgoing HTTP requests (:pr:`5604`)
- Include token in notification emails for private surveys (:pr:`5618`)
- Fix some API calls not working with personal access tokens (:pr:`5627`)
- Correctly handle paragraphs and linebreaks in plaintext conversion (:pr:`5623`)
- Send manager notifications and email participant if they withdraw from an event
  (:issue:`5633`, :pr:`5638`, thanks :user:`kewisch`)
- Do not break registrations with purged accommodation fields (:issue:`5641`,
  :pr:`5643`)
- Do not show blocked rooms as available on the very last day of the blocking
  (:pr:`5663`)
- Do not show blocked rooms as available for admins unless they have admin override
  mode enabled (:pr:`5663`)
- Fix roles resetting to the default ones when editing person data in an abstract
  or contribution (:pr:`5664`)
- Correctly show paragraphs in CKEditor fields (:issue:`5624`, :pr:`5656`, thanks
  :user:`kewisch`)
- Fix empty iCal file being attached when registering for a protected event
  (:pr:`5688`)


Internal Changes
^^^^^^^^^^^^^^^^

- Add ``rh.before-check-access`` signal (:pr:`5639`, thanks :user:`omegak`)
- Add ``indico celery --watchman ...`` to run Celery with the Watchman reloader
  (:pr:`5667`)
- Allow overriding the cache TTL for remote group membership checks (:pr:`5672`)
- Allow a custom editing workflow service to mark new editables as ready-for-review
  without creating a new replacement revision (:pr:`5668`)
- Update Python dependencies (:pr:`5689`)